Update on the ICQ 7 update issue
(This is a follow-up to my original posting on a security issue in ICQ 7)
This is what I sent to Bugtraq today after testing the new ICQ 7.4:
UPDATE:
This week, ICQ 7.4 (build 4561) was released. Even though the original version of my exploit does not work anymore, the vulnerability was not resolved: ICQ only changed the product ID that is included in the path to the update file. If every ocurrence of “30009” in both python files (see original announcement below) is replaced by “30011” and afterwards, a new update.xml is generated using build_update_files.py, the attack will still succeed.
Note to ICQ engineers if they’re reading this: To really fix the issue, introduce cryptographically signed update files.
If you’re still using the original ICQ client, I can only urge you to switch to another client such as Pidgin. I wouldn’t trust a company that doesn’t even offer an email address to report security issues and that tries to fix security issues in such an inept way…
Also have a look at the clarification on the security issue’s impact.